
Chief Information Security Officer

City of Norfolk

Job Description

Posted on: September 17, 2024

Summary and company overview

Description

The Department of Information Technology (IT) plays a key role in driving customer-focused innovation initiatives. It is composed of three technical bureaus: Application Services, Customer Success and Productivity, and Technology Infrastructure and Security. Collectively, the 95 staff members work together to provide essential services and technical support to all City staff and business functions. Most processes in the organization are dependent on technology to function; there is a continual need for technology solutions that meet business function and organizational needs, while balancing security and support requirements. The Chief Information Officer and the Assistant Director work together to set technology policy direction for the enterprise and establish a supportive, respectful, and inclusive culture in the department. They, together with the three Technology Managers, lead departmental staff in identifying, recommending, implementing, and maintaining technology and solutions to support the City’s business needs, while setting and enforcing organizational standards and policies.

The Chief Information Security Officer plays a critical role in ensuring the confidentiality, integrity, and availability of the organization's information assets and in managing and mitigating potential security risks. This position’s primary responsibility will be to protect the city's sensitive information assets, including customer data, intellectual property, and other confidential information. This position is on the City of Norfolk’s IT Leadership team, reporting to the Chief Information Officer.

Department Hiring Salary Range: $88,508 - $101,784

Responsibilities

This position demands strong analytical, technical, relationship, and communication skills. The role of the CISO in local government includes the governance, risk, and compliance (GRC) function. The CISO is responsible for developing and implementing policies and procedures to protect the organization's information assets, as well as ensuring that the organization remains in compliance with relevant laws and regulations. The CISO also plays a critical role in managing the organization's cybersecurity budget.

The key responsibilities of the CISO will include the following:

  • Information Security Strategy: Developing and implementing a comprehensive information security strategy aligned with the city's goals and objectives. This involves assessing risks, defining security policies, and establishing security standards and guidelines.

  • Risk Management: Identifying, evaluating, and prioritizing potential information security risks to the City of Norfolk. Conducting risk assessments and developing risk mitigation strategies, including the selection and implementation of appropriate security controls.

  • Incident Response: Developing and implementing an incident response plan to effectively respond to and manage security incidents. Establishing protocols for incident reporting, investigation, containment, eradication, and recovery. Coordinating with relevant stakeholders, such as legal, human resources, and communications, to ensure an appropriate and timely response.

  • Security Awareness and Training: Promoting a culture of security awareness within the city through training and education programs to include KnowBe4. Ensuring that employees understand their roles and responsibilities in safeguarding information assets and adhering to security policies and procedures.

  • Compliance and Regulations: Ensuring compliance with relevant laws, regulations, and industry standards pertaining to information security. This includes keeping up to date with changing regulatory requirements and implementing necessary controls and procedures to meet compliance obligations.

  • Security Governance: Establishing and maintaining a governance framework for information security, including the development of security policies, standards, and procedures. Providing guidance and support to other business units and departments to ensure security considerations are integrated into their processes and systems, understanding that cybersecurity is a business issue, not an IT issue.

  • Security Architecture: Collaborating with IT and other relevant stakeholders to design and implement a secure technology infrastructure. This involves evaluating and selecting appropriate security technologies, conducting security reviews of system designs, and ensuring that security controls are integrated throughout the technology stack.

  • Vendor and Third-Party Risk Management: Assessing the security posture of vendors and third-party partners that have access to the organization's systems or data. Establishing and implementing processes to evaluate, monitor, and manage third-party risks effectively.

  • Security Incident Reporting and Metrics: Developing and maintaining security metrics and reporting mechanisms to provide regular updates to executive management and other stakeholders. Tracking key security indicators, such as incident trends, threat landscape, and security program effectiveness, to facilitate decision-making and continuous improvement.

Job Requirements

Required Qualifications:

  • Work requires specialized knowledge in a professional or technical field. Work requires a professional level of knowledge of a discipline which is typically acquired at a Bachelor’s degree-level of study in Information Security, Computer Science, Information Technology, or related field.
  • A minimum of 7 years’ experience in cyber / information security, risk management, and information technology or operational technology security, preferably with 5 years in a leadership role.

Preferred Qualifications:

  • Master’s degree preferred (bonus for a Master’s with a Cybersecurity focus).
  • Preferred certifications include:
      • Certified Information Security Manager (CISM)
      • Certified Information Systems Security Professional (CISSP)
      • Certified Ethical Hacker (CEH)

Additional commentary

  • Valid Driver's License required
  • Must be able to work regular on-call rotation shifts
  • This is an essential position; the incumbent must be able to report to work as directed in the event of an emergency or natural disaster and is expected to work unusual shifts and hours
  • Work Location: 800 E. City Hall Ave., Norfolk, VA 23510
  • Work Hours: This position works forty hours per week, Monday – Friday, 8am to 5pm, to accommodate operating hours. On-call weekend and after-hours support is required on a rotating basis. This position is an Essential position, which requires attendance during emergencies, delayed city openings and special weather events.
  • Signing Bonus: This position is eligible for a one-time $5,000 signing bonus for applications received on or after February 22, 2022. The signing bonus will be paid in two (2) increments: $2,500 upon completion of 60 days of employment, and $2,500 upon completion of your probationary period. To receive the signing bonus, you must be an active employee in good standing.
